22.7 Legacy Series / Re: WireGuard Road Warrior: peers don't see each other
« on: October 11, 2022, 02:58:52 am »
guys, thanks for your answers, you made me think a lot about what I was doing wrong
at the end I understood why it didn't work, it was trivial after all, but someone could stumble on it, especially if coming from a wireguard setup on different routers or a dedicated vm:
before opnsense, I usually set the allowed ip to 'wg_server/32' on all peers, and it always worked because I always masqueraded all the traffic with a dedicated iptables rule, while openwrt does it automagically with an option
with opnsense, even if I created a dedicated interface for wg, I would in any case need to masquerade all the traffic with a dedicated outbound rule, setting source/destination to 'wireguard net' and translation to the 'wg address'
the simpler alternative is just allowing the entire /24 network on all wg peers, so the traffic can pass through them even if the gateway is not masquerading on the wg interface
for the same reason, you would anyway need an outbound rule to masquerade the source ip if accessing a wg peer from another network (e.g. lan) without having to modify the allowed ips of all your peers
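The behaviour described in this post, as an added example that is not part of the original thread: a small simulation of WireGuard's cryptokey routing showing why a road-warrior peer whose AllowedIPs is only the server's /32 drops traffic from another peer (or from the LAN) unless the OPNsense side masquerades to its own WireGuard address or the client allows the whole /24. The addresses, peer names and the `forward` helper are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (not from the post).
WG_SERVER = "10.10.0.1"                      # OPNsense WireGuard interface address
SERVER_PEERS = {                             # AllowedIPs the server holds per client
    "client-a": ["10.10.0.2/32"],
    "client-b": ["10.10.0.3/32"],
}


def in_allowed_ips(allowed_ips, addr):
    """Cryptokey routing check: is addr covered by one of a peer's AllowedIPs prefixes?"""
    a = ip_address(addr)
    return any(a in ip_network(prefix) for prefix in allowed_ips)


def forward(src, dst, receiver_allowed_ips, masquerade):
    """Trace a packet from src (a WireGuard client or a LAN host) through the server
    to the client at dst. Returns (accepted, source_seen_by_receiver).

    receiver_allowed_ips: AllowedIPs the receiving client configured for the server peer.
    masquerade: True if an outbound NAT rule on the WireGuard interface rewrites the
                source to the server's own WireGuard address before forwarding.
    """
    # Server side: a packet is only handed to a peer whose AllowedIPs cover dst.
    if not any(in_allowed_ips(prefixes, dst) for prefixes in SERVER_PEERS.values()):
        return False, "no server peer covers destination"
    seen_src = WG_SERVER if masquerade else src
    # Receiving client: inbound packets are dropped unless their source is inside the
    # AllowedIPs of the peer they arrived from; the reply is routed by the same table.
    if not in_allowed_ips(receiver_allowed_ips, seen_src):
        return False, seen_src
    return True, seen_src


if __name__ == "__main__":
    # Peer-to-peer with only server/32 allowed: dropped; with masquerade or /24: delivered.
    print(forward("10.10.0.2", "10.10.0.3", ["10.10.0.1/32"], masquerade=False))
    print(forward("10.10.0.2", "10.10.0.3", ["10.10.0.1/32"], masquerade=True))
    print(forward("10.10.0.2", "10.10.0.3", ["10.10.0.0/24"], masquerade=False))
    # LAN host reaching a peer: even with /24 allowed, the LAN source needs masquerade.
    print(forward("192.168.1.50", "10.10.0.3", ["10.10.0.0/24"], masquerade=False))
    print(forward("192.168.1.50", "10.10.0.3", ["10.10.0.0/24"], masquerade=True))
```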